Zac Anger's Blog

Digital Security Guide


Tags: security

Crossposted from ProleSoft

Most major tech companies sell your data to advertisers and governments. You need to stay safe online, so you should be careful about what you use and how you use it.

All the recommendations here are just that: recommendations. Most users will not need to follow everything in this guide.


You should try to avoid anything hosted in, or owned by, a company in the US. You should also use end-to-end encryption wherever possible.

Don't use your real name, real address, or information that could be linked to your identity in sensitive situations. This includes social media, photos, email addresses, location, and anything else that could be linked to your identity. If you host a website, use WHOIS privacy protection.


This section is not a guide on unionizing, just security recommendations.

Do not use company email, messaging (Slack, Hipchat, etc.), phones, computers, networks, or other resources for organizing. A simple rule of thumb is: if the company pays for it, don't use it. You have no protection under labor law if you do. Check your company handbook/policies to see what they can access or claim they can access, because you may also want to avoid organizing on your own devices during work hours. Follow the other recommendations in this guide for what apps and services to use, especially when it comes to messaging and email.


Use passphrases over passwords if you need to be able to remember them. Prefer random passwords generated by a password manager like KeePassXC or Bitwarden when you can. Never reuse passwords anywhere, and rotate your passwords regularly. Check for password/phrase security here, and check regularly to see if your data has been involved in a leak here (Firefox has this feature built in now).
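To make the passphrase-versus-random-password tradeoff concrete, here is an added example (not part of the original guide) that generates both with a cryptographically secure random source and compares their entropy. The 32-word list is a constructed sample so the code runs offline, and the function names are illustrative.

```python
import math
import secrets
import string

# Constructed 32-word sample list so the block runs offline. A real list
# (for example a 7776-word diceware list) gives far more entropy per word.
SAMPLE_WORDS = (
    "anchor basket candle dragon ember falcon garden harbor "
    "island jacket kettle lantern meadow needle orchard pepper "
    "quarry ribbon saddle timber umbrella velvet walnut yonder "
    "zipper bramble cobalt dune fennel glacier hollow ivory"
).split()

# 52 letters + 10 digits + 32 punctuation marks = 94 symbols
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from `choices` options."""
    return length * math.log2(choices)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count that reaches `target_bits` for a given list size."""
    return math.ceil(target_bits / math.log2(list_size))


def make_passphrase(n_words: int, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Pick words with the OS CSPRNG; never use the `random` module for this."""
    unique = sorted(set(words))  # duplicate entries would silently lower entropy
    if len(unique) < 2:
        raise ValueError("word list too small")
    return sep.join(secrets.choice(unique) for _ in range(n_words))


def make_password(length: int = 20) -> str:
    """Random password of the kind a password manager generates."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    n = words_needed(80, len(SAMPLE_WORDS))
    print(make_passphrase(n), f"({entropy_bits(len(SAMPLE_WORDS), n):.0f} bits)")
    print(make_password(), f"({entropy_bits(len(ALPHABET), 20):.0f} bits)")
    print("words for 80 bits with a 7776-word list:", words_needed(80, 7776))
```

The entropy figures only hold when every word or character is chosen uniformly at random; a phrase you made up yourself is much weaker than its length suggests.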


Using GnuPG (an implementation of PGP) takes some practice, but it is worth it for encrypting files manually and sending encrypted emails. Check out this guide to getting up and running with GPG.


Prefer almost any OS over Windows. Windows is buggy, full of telemetry (read: Microsoft Spyware), and insecure. If you're tech savvy, learning Linux is a good route. You could try Xubuntu as a good starter distro. If you're very tech-minded, you could try OpenBSD or FreeBSD. Mac OS is also a better choice than Windows, but comes with some of the same vendor lock-in (and a huge price tag).

For extreme needs, you should look into Tails or Qubes.

Whichever OS you use, you absolutely need to enable Full-Disk Encryption.

For mobile, both iOS and Android are okay options, as long as you keep them up to date and don't install anything requiring permissions it shouldn't need. In the Android world, you could also look into Lineage, UBPorts (Ubuntu Phone fork), and other hobbyist OSs and phones.


Avoid Chrome. Google's business model is surveillance, and their browser exists to collect your data. Also avoid Internet Explorer (it's unmaintained and insecure), Microsoft Edge (because of the telemetry), and anything closed-source or proprietary (which rules out Opera and Vivaldi).


Avoid Google, Microsoft, Yahoo, and other US companies. Also try to avoid companies that want your real name. Protonmail is in Switzerland and has a free plan. Tutanota also has a free plan, and is in Germany. See the links at the bottom of the page for more recommendations.


You need end-to-end encryption for anything sensitive. This means your communications should be encrypted in transit (TLS 1.2 is the only thing you should accept as of early 2020), and also encrypted at rest (on the server where they're stored) without the company running the messaging platform being able to read them. If communications are not E2EE, you should treat them as if they're public.

Use Signal for an SMS/KakaoTalk/WhatsApp alternative, and Riot/Matrix for group chat.


Enable MFA wherever possible. Authy is a convenient MFA app that isn't tied to a specific device or external (Google, Apple) account. For a hardware device, check out YubiKey.

Use DuckDuckGo, Startpage, or Searx for search.


Use youtube-dl to watch videos from almost any website, and Invidious to watch YouTube videos. Play videos locally with MPV.


Change your default DNS provider, which is probably your ISP or Google, to something like BlahDNS or SecureDNS. See the links at the bottom of the page for more recommendations. Avoid DNS providers hosted or run in the US, providers that have logging, and providers that do not have DNSSEC. You can also use Pi-hole, Unbound, or other systems to block trackers, ads, and other bad IPs. Lists to get you started are available here.


Use a VPN with no logging, that is not hosted or run by a company in the US:


Avoid proprietary and exploitable formats. That means no Microsoft Word doc/docx and no PDFs if possible. Plain text formats (txt, md, html, etc.) allow reading through any application and limit the chance of executing arbitrary code. Use plain text editors that are open source and not made by major US companies (avoid Google Docs, VS Code, Atom, etc.) as much as you can, and use LibreOffice when you can't. Encrypt any documents that contain sensitive data, like information that could be used to identify someone, schedules, and addresses.


Dropbox is a US company, and stores your data on their servers. Prefer a self-hosted alternative like Seafile, Syncthing, Syncany, or SparkleShare. Encrypt any sensitive files.